On Day 13 of Cybersecurity Awareness Month, we present a Microsoft 365 user off-boarding script that incorporates the best practices suggested by sysadmins the world over. Ease your workload in a safe and secure manner. Stay tuned for more in the M365 cybersecurity blog series.
The process of removing, or 'offboarding', a former employee is a very important one. Any neglect in user deprovisioning puts the company at risk of losing critical data associated with the account. It can also expose the organization to security threats.
Is There a Standardized M365 Off-boarding Process?
The problem with offboarding is that every administrator has their own process; there is no single standardized way. One drawback of this is that it is difficult to assess the quality of an off-boarding process.
Because there is no standard to assess quality against, two or more processes can be compared only on their speed, security and comprehensiveness.
How Do I Make My Microsoft 365 Off-boarding Process Quicker and Better?
Any admin knows how slow and error-prone a manual Microsoft 365 user offboarding process is.
To simplify the work of offboarding an M365 user, we have developed a PowerShell script that makes offboarding quick and secure. With the script, you can automate 14 user offboarding best practices.
Below are the things you can do with the script:
- Disable the user account: Block the offboarded employee from accessing their Microsoft 365 user account.
- Reset password: Reset the password of the user to a random value.
- Reset office name: Reset the office location of the offboarded user.
- Remove mobile number: Remove the personal mobile number associated with the user account.
- Remove group memberships: Strip the offboarded employee of all Microsoft 365 group memberships.
- Remove application role assignments: Remove all application-specific roles assigned to the user.
- Remove admin roles: Remove all the administrative roles assigned to the user account.
- Hide from address lists: Hide the user account from all address lists in your Microsoft 365 environment.
- Remove email aliases: Remove all the email aliases associated with the user account in your environment.
- Wipe mobile device: Remotely wipe mobile devices associated with the account.
- Delete inbox rule: Remove all existing inbox rules set by the user.
- Convert to shared mailbox: Change the email inbox of the user to a shared one.
- Remove License: Revoke the Microsoft 365 license assigned to the offboarded employee.
- Sign out from all user sessions: Sign the user out of all their active sessions in one step.
- All operations: Perform all the above listed operations in one go as well.
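An added example (not the page's M365UserOffBoarding.ps1 or any project code) of how a subset of the operations above can be automated with the Microsoft Graph PowerShell SDK. The cmdlets are real SDK cmdlets; the function names, file names and scope list are assumptions, and the Exchange-side steps (shared mailbox, inbox rules, address lists, device wipe) are left out.

```powershell
# Added example, not the page's M365UserOffBoarding.ps1: a subset of the listed
# operations using the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph
# module is installed and a session exists, e.g.
#   Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','AppRoleAssignment.ReadWrite.All'
# Exchange-side steps (shared mailbox, inbox rules, address lists, device wipe) are out of scope.

function New-RandomPassword([int]$Length = 24) {
    # 64-symbol alphabet so 'byte % 64' is unbiased; bytes come from the CSPRNG.
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Invoke-M365Offboarding {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$StatusFile = '.\M365UserOffBoarding_StatusFile.csv',
        [string]$InvalidLog = '.\InvalidUsersLogFile.txt'
    )
    $ErrorActionPreference = 'Stop'    # make Graph errors catchable below
    try   { $user = Get-MgUser -UserId $UserPrincipalName }
    catch { Add-Content -Path $InvalidLog -Value $UserPrincipalName; return }

    # Each step runs independently so one failure does not abort the rest.
    $steps = [ordered]@{
        'Disable account'   = { Update-MgUser -UserId $user.Id -AccountEnabled:$false }
        'Reset password'    = { Update-MgUser -UserId $user.Id -PasswordProfile @{
                                    Password = (New-RandomPassword); ForceChangePasswordNextSignIn = $true } }
        'Sign out sessions' = { Revoke-MgUserSignInSession -UserId $user.Id | Out-Null }
        'Remove groups'     = {   # dynamic or on-prem synced groups cannot be edited here and will error
            Get-MgUserMemberOf -UserId $user.Id -All |
              Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
              ForEach-Object { Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $user.Id } }
        'Remove app roles'  = {
            Get-MgUserAppRoleAssignment -UserId $user.Id -All |
              ForEach-Object { Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $_.Id } }
        'Remove licenses'   = {   # group-based licenses must be removed from the group instead
            $skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
            if ($skus) { Set-MgUserLicense -UserId $user.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null } }
    }
    foreach ($name in $steps.Keys) {
        try   { & $steps[$name]; $result = 'Success' }
        catch { $result = "Failed: $($_.Exception.Message)" }
        [pscustomobject]@{ UPN = $UserPrincipalName; Operation = $name; Status = $result } |
            Export-Csv -Path $StatusFile -NoTypeInformation -Append
    }
}
```

Unlike the page's script, this version does not write the random password to a log file; once the account is disabled and sessions are revoked, nobody needs it.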
While we always desire quicker and better ways of doing things, it is always good to know how to do it the conventional way. You can check one of our earlier blogs on deprovisioning Microsoft 365 users manually for specific details.
Download Script: M365UserOffboarding.ps1
Automate Employee Offboarding in Microsoft 365 – Script Execution
The script can be executed in PowerShell with the following command:
```powershell
./M365UserOffBoarding.ps1
```
The script then prompts for the UPN (User Principal Name) of the user to be off-boarded. You can also specify multiple user accounts here; separate each UPN with a comma.
Example: avidem@contoso.onmicrosoft.com, elara@contoso.onmicrosoft.com
You are then prompted for the action that you need to perform. Choose Option 15 to perform all the operations in one go.
You can also choose to carry out specific operations or their combinations by passing the respective numbers.
Sample Output Report
Based on the action performed and its successful completion, the following output files are generated:
- Microsoft 365 Offboarding Status Report: ‘M365UserOffBoarding_StatusFile.csv’ contains details on the status of each operation.
- Password Reset Log File: ‘PasswordLogFile.txt’ contains the list of random passwords set for each user. This file is generated when the ‘Password Reset to Random’ operation is performed.
- Invalid Users Log File: ‘InvalidUsersLogFile.txt’ contains the list of invalid UPNs entered.
How Can Microsoft 365 Offboarding Be Made Even Quicker and Safer?
1. Offboard bulk Microsoft 365 users at once (Import CSV)
Sometimes multiple user accounts need to be offboarded at once. Doing this manually is tedious, and even with the script it is awkward to repeat the prompts for many users.
To simplify your work, use the -CSVFilePath parameter and import the bulk list of user accounts to be offboarded. Everything is then accomplished in a single run of the script.
```powershell
./M365UserOffBoarding.ps1 -CSVFilePath <csvfilepath>
```
Format your bulk user CSV file without any headers. An image is given for reference.
2. Use certificate-based authentication to offboard users
You can use a certificate-backed Entra ID application to leverage the enhanced security of OAuth 2.0 authentication through our script.
To point to an application, use the -ClientID and -CertificateThumbprint parameters and provide the specific values.
```powershell
./M365UserOffBoarding.ps1 -ClientID <value> -CertificateThumbprint <value> -TenantID <value>
```
Note: To perform any action using certificate-based authentication, the calling application must be assigned the User.ReadWrite.All app permission and at least the User Administrator Entra ID role.
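An added example (not the page's script) that combines the two enhancements above: app-only sign-in with a certificate, a check that the app actually holds the User.ReadWrite.All permission mentioned in the note, and parsing of the header-less bulk CSV into validated UPNs with the invalid ones logged. The file name, parameter defaults and placeholder IDs are assumptions.

```powershell
# Added example, not the page's script: app-only (certificate) sign-in plus a
# header-less CSV of UPNs, writing the InvalidUsersLogFile.txt the page describes.
# Assumes the Microsoft.Graph module, an app registration whose certificate is in the
# local store, and the placeholder values replaced with your own.
param(
    [string]$CSVFilePath = '.\offboard.csv',      # one UPN per line, no header row
    [string]$ClientId = '<app-id-placeholder>',
    [string]$TenantId = '<tenant-id-placeholder>',
    [string]$CertificateThumbprint = '<thumbprint-placeholder>'
)
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint

# Fail fast if the app lacks the permission the offboarding calls need.
$granted = @((Get-MgContext).Scopes)
if ($granted -notcontains 'User.ReadWrite.All') {
    throw "App permission User.ReadWrite.All is not granted (granted: $($granted -join ', '))"
}

# -Header supplies the column name the file deliberately omits.
$upns = @(Import-Csv -Path $CSVFilePath -Header 'UPN' |
          ForEach-Object { $_.UPN.Trim() } | Where-Object { $_ } | Sort-Object -Unique)

$valid = foreach ($upn in $upns) {
    # Reject malformed entries locally, then confirm the account exists in the tenant.
    if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        Add-Content -Path '.\InvalidUsersLogFile.txt' -Value $upn; continue
    }
    try   { $null = Get-MgUser -UserId $upn -Property Id -ErrorAction Stop; $upn }
    catch { Add-Content -Path '.\InvalidUsersLogFile.txt' -Value $upn }
}
"$(@($valid).Count) of $($upns.Count) UPNs resolved; the rest are in InvalidUsersLogFile.txt"
# $valid now holds the accounts to hand to the per-user offboarding steps.
```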
Conclusion
Be it Microsoft 365 user on-boarding or offboarding, it is important for any M365 administrator to have a quick, fool-proof process to get the job done without issue. I hope this script has been a good supplement to your offboarding process. For a codeless alternative, you can use lifecycle workflows to automate the M365 offboarding process. Feel free to share your comments and questions.